Installation

If you use any kernel other than linux, install the corresponding kernel module.

If you are using truecrypt to encrypt a virtual filesystem (e.g. a file), the module will be automatically loaded whenever you run the truecrypt command. Add it to the MODULES array in /etc/rc.conf.

If you are using truecrypt to encrypt a physical device (e.g. a hard disk or usb drive), you will likely want to load the module during the boot sequence:

Add the module to /etc/rc.conf:

MODULES=(truecrypt ...)

Note: It does not appear that loading a module applies with TrueCrypt 7.0a, the current version in Arch as of 4/19/2011. The above advice may be outdated with respect to the module; however, it is still important to enable fuse, loop and your encryption algorithm (e.g. AES, XTS, SHA512) in custom kernels.

Encrypting a file as a virtual volume

The following instructions will create a file that will act as a virtual filesystem, allowing you to mount it and store files within the encrypted file. This is a convenient way to store sensitive information, such as financial data or passwords, in a single file that can be accessed from Linux, Windows, or Macs.

To create a new truecrypt file interactively, type the following in a terminal:

Note: Truecrypt requires root privileges and as such, running the above command as a user will attempt to use sudo for authentication. To work with files as a regular user, please see the appropriate section below.

Once mounted, you can copy or create new files within the encrypted directory as if it were any normal directory. When you are ready to re-encrypt the contents and unmount the directory, run:

$ truecrypt -d

Again, this will require administrator privileges through the use of sudo.

For more information about truecrypt in general, run:

$ man truecrypt

Several options can be passed at the command line, making automated access and creation a simple task. The man page is highly recommended reading.

Encrypting a physical volume

If you want to use a keyfile, create one with this command:

truecrypt --create-keyfile /etc/disk.key

By default both passphrase and key will be needed to unlock the volume.

Create a new volume in the device /dev/sda1:

truecrypt --type normal -c /dev/sda1

Map the volume to /dev/mapper/truecrypt1:

truecrypt -N 1 /dev/sda1

If this command does not work for you, try this to map the volume:

truecrypt --filesystem=none --slot=1 /dev/sda1

If you want to use a file system other than ext3, simply format the disk as you normally would, except use the path /dev/mapper/truecrypt1.

mkfs.ext3 /dev/mapper/truecrypt1

Mount the volume:

mount /dev/mapper/truecrypt1 /media/disk

Map and mount a volume:

truecrypt /dev/sda1 /media/disk

Unmount and unmap a volume:

truecrypt -d /dev/sda1

Creating a hidden volume

First, create a normal outer volume as described above.

Map the outer volume to /dev/mapper/truecrypt1:

truecrypt -N 1 /dev/sda1

Create a hidden truecrypt volume in the free space of the outer volume:

truecrypt --type hidden -c /dev/sda1

Use a different passphrase and/or keyfile here than the one you used for the outer volume.

Unmap the outer truecrypt volume and map the hidden one:

truecrypt -d /dev/sda1
truecrypt -N 1 /dev/sda1

Just use the passphrase you chose for the hidden volume and TrueCrypt will automatically choose it before the outer.

Automatic mount on login

to your startup procedure. Do not use the -p switch; this method is more secure. Otherwise anyone can look up the password via ps and similar tools, as it is part of the process command line!
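A defender-side check for the -p problem described above, as an added example that is not part of the original page: it scans /proc for truecrypt processes started with the password switch and prints only their PIDs. The function names, the constructed sample tree and the handling of --password (the long form of -p) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find truecrypt processes whose command line exposes a password.
# Any local user can read /proc/<pid>/cmdline, which is what ps displays.

# Print the PID of every truecrypt process started with -p / --password.
# $1: proc root (defaults to /proc; another directory allows offline testing).
find_truecrypt_password_args() {
    proc_root=${1:-/proc}
    for cmdline in "$proc_root"/[0-9]*/cmdline; do
        [ -r "$cmdline" ] || continue
        pid=${cmdline%/cmdline}
        pid=${pid##*/}
        # cmdline is NUL-separated: print one argument per line for awk.
        tr '\000' '\n' 2>/dev/null < "$cmdline" | awk -v pid="$pid" '
            NR == 1 {                      # argv[0]: keep only truecrypt itself
                n = split($0, parts, "/")
                if (parts[n] != "truecrypt") exit
                next
            }
            # Assumption: -p, -pVALUE and --password[=VALUE] all carry the password.
            /^-p/ || $0 == "--password" || index($0, "--password=") == 1 { hit = 1 }
            END { if (hit) print pid }     # report the PID only, never the secret
        '
    done
}

# Constructed sample tree (not real process data) for trying the check offline.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir "$root/101" "$root/202" "$root/303"
    printf 'truecrypt\000-p\000EXAMPLE-PASSPHRASE\000/dev/sda1\000/media/disk\000' > "$root/101/cmdline"
    printf '/usr/bin/truecrypt\000/dev/sda1\000/media/disk\000' > "$root/202/cmdline"
    printf 'othertool\000-p\000truecrypt\000' > "$root/303/cmdline"
    echo "$root"
}

# Scan the live system by default, or the directory given as first argument.
find_truecrypt_password_args "${1:-/proc}"
```

In the constructed tree only PID 101 is reported: 202 mounts without a password argument and 303 is a different program.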

Safely unmount and unmap volumes (on shutdown)

You can unmount a specific device by

# truecrypt -d /PATH/TO/MOUNTPOINT

or omit the path to unmount all truecrypt volumes.

If you want your truecrypt device to be unmounted automatically at shutdown, add the following to the file /etc/rc.local.shutdown:

/usr/bin/truecrypt -d
sleep 3

You can also omit the sleep command; it is just there to give the unmounting some time to complete before the actual shutdown.

Errors

TrueCrypt is already running

If a message box saying "TrueCrypt is already running" appears when starting TrueCrypt, check for a hidden file called .TrueCrypt-lock-username in the home directory of the affected user. Substitute username with the individual username. Delete the file and start TrueCrypt again.

Deleted stale lockfile

If you always get the message "Delete stale lockfile [....]" after starting Truecrypt, the Truecrypt process with the lowest ID has to be killed during Gnome log out. A user on the Ubuntu forum provided the following solution: edit

/etc/gdm/PostSession/Default

and add the following line before exit 0:

kill `ps -ef | grep truecrypt | tr -s ' ' | cut -d ' ' -f 2`

Issues with Unicode file / folder names on NTFS volumes

If files or folders containing Unicode characters in their names are displayed incorrectly or not at all on TrueCrypt NTFS volumes (while being handled correctly on, e.g., non-encrypted NTFS partitions), first verify that you have the NTFS-3G driver installed and then create the following symlink as root:

ln -s /sbin/mount.ntfs-3g /sbin/mount.ntfs

That will cause TrueCrypt to automatically use this driver for NTFS volumes, having the same effect as the explicit use of

Unmount error (device mapper)

If you always get the message "device-mapper: remove ioctl failed: Device or resource busy" when attempting to dismount your truecrypt volume, the solution is to go to Setting > Preferences > System Integration > Kernel Service and check the box

Do not use kernel cryptographic services

Note: I have only seen this with a truecrypt partition. Not with a truecrypt file.

Failed to set up a loop device

If you get a message "Failed to set up a loop device" when trying to create/mount a TrueCrypt volume, it may be because you updated your kernel recently without rebooting.
Rebooting should fix this error.

Otherwise, check if loop has been loaded as kernel module:

lsmod | grep loop

If it is not listed, retry the TrueCrypt command after running modprobe loop. If that works, consider adding loop to the MODULES array in /etc/rc.conf.

Note: As of udev 181-5, the loop device module is no longer auto-loaded, and the procedure described here is necessary.